Time and again, governments have used crises to expand their power, and often their intrusion into citizens’ lives. The COVID-19 pandemic has seen this pattern play out on a huge scale. From deployingdronesorankle monitors to enforce quarantine ordersto proposals to useface recognitionorthermal imaging camerasfor monitoring public spaces, governments around the world have been adopting intrusive measures in their quest to contain the pandemic.

EFF has fought for years against the often secretive governmental use of cell phone location data. Governments have repeatedly sought to obtain this data without a court order, dodged oversight of how they used and accessed it, misleadingly downplayed its sensitivity, and forced mobile operators to retain it. In the past, these uses were most often justified with arguments of law enforcement or national security necessity. Now, some of the same location surveillance powers are being demanded—or sometimes simply seized—without making a significant contribution to contain COVID-19.Despite thelack of evidenceto show the effectiveness of location data to stop the spread of the virus, a number of countries’ governments have used the crisis to introduce completely new surveillance powers or extend old ones to new COVID-related purposes. For example, data retention laws compel telecom companies to continuously collect and store metadata of a whole population for a certain period of time. In Europe, the Court of Justice of the European Uniondeclared such mandates illegal under EU law.

Like other emergency measures, it may be an uphill battle to roll back new location surveillance once the epidemic subsides. And becausegovernments have not shown its effectiveness, there’s no justification for this intrusion on people’s fundamental freedoms in the first place.

Individualized Location Tracking

Mobile carriers happen to know their subscribers’ phone’s locations (usually the same as the locations of the subscribers themselves) from moment to moment because of the way cellular networks work. That knowledge has turned into one of the most extensive data sources for governments—and not infrequently advertisers, stalkers, or spies—interested in tracking people’s movements. But while phone location data is sufficient to show whether someone went to church or the movies, it simply is not accurate enough to show whether two people were close enough together to transmit the virus (commonly characterized as a distance of two meters, or about six feet).

While location surveillance is problematic at any time, the coronavirus crisis has led to a rapid uptick in its use; many measures to facilitate it have been passed by fast-tracked legislative procedures during national state of emergencies. Some governments have even bypassed legislators entirely and relied on executive power to roll out expanded location surveillance—making it even less transparent and democratically legitimate than usual. Governments may use the urgency of the crisis to erode limits on the ways people’s location histories can be used, demand this data be turned over to authorities in bulk, or require companies to stockpile records of where their customers have been.

COVID-inspired cell phone location surveillance around the globe

Attempts at rapid expansions of government location surveillance authority have come to light in at least seven countries.

InIsrael,in a significant win for privacy, Israel’s High Court of Justice has recentlyrevokedthe authorization of the police to access location data for contact tracing without a court order. On March 16th, the government had approved emergencyregulations,48 hours afterPrime Minister Benjamin Netanyahuannouncedhis government’s intention to approve health tracking methods. The regulations enabled both the police and Israel’s domestic security agency (usually known as Shabak or Shin Bet, after its Hebrew acronym) to track the whereabouts of persons that might be infected or are suspected to be infected with COVID-19 without a warrant. Theemergency regulationhas now been suspended, and the Court hasorderedthat the government address the use of mobile phone tracking through legislation. Despite the win, the fight against warrantless access to location data is far from over: on May 5th, the parliament’s Intelligence Subcommittee voted 6-3 toextendthe Shin Bet’s warrantless access to location data to track infected people, while the government is working towards advancinglegislationto enable this form of surveillance more permanently. Right after the approval of the emergency regulations on March 16th, the Association for Civil Rights in Israel filed apetitionto Israel’s High Court stressing the need to protect democracy during the pandemic:

Democracy is measured precisely in those situations when the public is afraid, exposed day and night to nightmare scenarios […]. Precisely in such moments, it is vital to act in a considered and level-headed manner, and not to take draconian and extreme decisions and to accustom the public to the use of undemocratic means […].

InSouth Africa, where astate of disasterhas been in place since March 15th, the government amended a law to create aCOVID-19 Tracing Database. The database will include personal data of those who are infected or suspected to be infected of COVID-19, including their COVID-19 test results, as well as the details of those who have come or are suspected to have come into contact with them. TheActauthorizes the Director-General of Health to order telecom companies to disclose the location of infected or suspected to be infected person, without prior notice, as well as the location of those who were in contact or suspected to have been in contact with them, and to included all of this data in theCOVID-19 Tracing Database. The law was met with severebacklash from civil society, and has since been amended twice. In a win for privacy, the lastamendmentdeleted the provisions that obliged telecommunications companies to disclose location data for inclusion in that database.

Poland, which has been in astate of emergencysince mid-March, has a track record of encroaching on the rule of law, eventriggering the EU’slegal process for addressing violations of European values. The EU Commissionhas statedthat the Polish judiciary is under “the political control of the ruling majority. In the absence of judicial independence, serious questions are raised about the effective application of EU law.” Now with COVID-19, the Polish governmenthas also introducedseveral COVID acts, providing new surveillance powers for the executive. Article 11 of theCOVID-19 actobliges telecom operators to collect and give access to location data of people infected with COVID-19 or those under quarantine upon a simple request, as well as aggregate location data of an operator’s clients. The new legislation states that these measures will remain in place until the pandemic has ended.

Slovakiais another eastern European country that has expanded telecom companies’ obligations to retain metadata during the crisis. Slovakia has been in a partialstate of emergencysince March 15th, during which severalamendmentsto the country’s telecommunications act werefast trackedthrough parliament. The amendments, which immediately causedoutrage, authorized national health authorities to obtain location data from telecommunications operators in the context of a pandemic. As in Poland, theamended lawallows both for the retention of anonymized aggregate data, as well as for individual location data. After beingchallengedbefore the Slovakian Constitutional Court, these measures have recently beensuspendeddue to their vagueness and insufficient safeguards against misuse.

Croatia’sgovernment attempted to introduce similar, fast-trackedamendmentsto the country’s electronic communications law. The bill would have authorized the exceptional processing of location data to “protect national and public safety,” and would have obliged telecommunications operators to share the data with the Ministry of Health. As in other countries, the proposal was met withoutrageamongcivil society,experts,andopposition, as more than forty civil society organizations signed ontoa letterdemanding the government to withdraw the bill. The criticism was eventuallysuccessful,but the Croatian example underlines the wider pattern of states looking to expand at any opportunity new surveillance powers in the crisis,in the Balkansand beyond.

Bulgaria,yet another Eastern European country inastate of emergency, has passed anemergency law, which included amendments to the country’selectronic communications act. The law nowobligestelecommunications companies to store and (upon request) provide metadata to competent authorities, including the police, to monitor citizens’ compliance with quarantine measures. The law does not require requests to be authorized by courts but merely provides for aafter-the-fact judicial review processwhich the country also uses when retaining data to prevent terrorist attacks. Not limited in time, the measures willremain in forceeven after the state of emergency has come to an end. Like Poland, Bulgaria has been showingauthoritarian tendenciesfor several years, and this extension of the country’s data retention regime, ushered in during the COVID crisis, may helpsolidify autocracy. The pattern of European countries reaching for location data surveillance also pokes holes in the popular image of the European Union as particularly protective of the right to privacy.

Peru, like some European countries, has also issued a state of emergency decree. It compels telephone companies to grant emergency call centers access to cell sites and GPS data of those who have called the national emergency number and are infected or suspected of COVID-19. The decree also authorizes the emergency call centers to access the historical location data of the devices from which the call was made, including three days before such call. Peruvian digital rights NGOcast doubtsabout the legal basis of such surveillance measures. It also raised concern of potential pitfalls that restricting the right to privacy in a state of emergency can cause in Peru. Regularly Peru has declared a state of emergency in conflict rural areas where activistshave been protesting to defend their land, the environment, and their rights.

South Korea, a country that has been fighting coronavirus outbreaks since the Middle East Respiratory Syndrome (MERS) epidemic in 2015, has dramaticallyrestricted the right to privacyin the context of the pandemic. The Infectious Disease Control and Prevention Act and its enforcement decree allows health officials to obtain sensitive personal data on the infected and those suspected to be infected, as well as their contacts and those suspected to be in contact. Such data includes names, resident registration numbers, addresses, telephone numbers, prescriptions, medical treatment records, immigration control records, credit card, debit card, and pre-paid card statements, transit card records, and CCTV recordings from third parties companies. Police can seize this personal data without consent of the data subjects and without any judicial oversight. The Act also allows health officials and administrators of municipalities to collect location data on the infected (or suspected to be infected) and their contacts (or suspected contacts) from telecommunications operators and location data providers (from cell site and GPS).

Ecuador,the country with thethird-worst COVID-19 outbreakin Latin America, has also relied on executive powers toexpand location surveillanceusing GPS and cell site data. President Lenin Moreno issued a vaguely wordedemergency decreeauthorizing the government to “use satellites and mobile telephone companies to monitor the location of people in a state of quarantine or mandatory isolation”.Latin American NGOsimmediately reacted, reminding Ecuador that any surveillance measure should be necessary and proportionate, and hence, effective to contain the virus. The NGOs statement echos the words of the U.N Special Rapporteurs, who jointlycalled upon U.N Member Statesto follow international human rights standards:

“While we recognize the severity of the current health crisis and acknowledge that the use of emergency powers is allowed by international law in response to significant threats, we urgently remind States that any emergency responses to the coronavirus must be proportionate, necessary and non-discriminatory”.

ConclusionLocation surveillance comes with a host of risks to citizens’ privacy, freedom of expression and data protection rights. EFF has long been fighting against warrantless access to location data or blanket data retention mandates, and has called on governments to be more transparent on their surveillance programs. Especially now, during a major health crisis, in which the government has not shown the efficacy of location data about individuals, governments should be as transparent as possible about what data they are collecting for what purposes. Above all, the necessity and proportionality of any location data surveillance schemes must be demonstrated.

We use cookies to offer you a better browsing experience, analyze site traffic, personalize content, and serve targeted ads. Read how we use cookies and how you can control them in our Privacy Policy. By using our site, you consent to our use of cookies.AcceptRead More